ERPNext Cross-Site Request Forgery Vulnerability Allowing Account Takeover

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in ERPNext versions 14.82.1 and 14.74.3. This vulnerability allows attackers to perform unauthorized actions such as deleting users, resetting passwords, and escalating privileges. The issue arises from inadequate CSRF protection on essential administrative API endpoints. If an authenticated administrator visits a malicious website, their session can be exploited to execute these actions without their consent.

Impact

Exploitation of this vulnerability could lead to unauthorized user deletions, password changes, and privilege escalations by allowing attackers to add roles to users.

Reproduction

To reproduce this vulnerability, an authenticated administrator must be tricked into visiting a malicious website. This site can host a script that automatically sends requests to the ERPNext API, performing actions like deleting users or changing passwords, all without the administrator's knowledge.

Remediation

To address this vulnerability, ERPNext should implement CSRF tokens on all state-changing API endpoints, disallow GET requests for actions such as saving or deleting, mark authentication cookies with 'SameSite=Strict', and require re-authentication for critical actions like password or role changes.
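The first three remediations above, as an added example that is not ERPNext's or Frappe's own code: a small server-side check that refuses GET for state-changing actions, requires a per-session CSRF token sent in a header (the header name and the endpoint paths are assumptions constructed for this example), and emits a session cookie flagged SameSite=Strict.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder paths modelled on the actions the advisory names
# (delete user, reset password, add role, save); not ERPNext's real endpoints.
STATE_CHANGING_PATHS = {
    "/api/method/delete_user",
    "/api/method/reset_password",
    "/api/method/add_role",
    "/api/method/save",
}

# Header carrying the anti-CSRF token; the name is an assumption for this example.
CSRF_HEADER = "X-Frappe-CSRF-Token"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def new_csrf_token(sessions: dict, sid: str) -> str:
    """Mint a random per-session token and remember it server-side."""
    token = secrets.token_hex(32)
    sessions[sid] = token
    return token


def check_request(req: Request, sessions: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if req.path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"
    # Disallow GET (and any other method) for actions that change state.
    if req.method.upper() != "POST":
        return False, "state change requires POST"
    expected = sessions.get(req.cookies.get("sid"))
    if expected is None:
        return False, "no authenticated session"
    # A cross-site page cannot read the token, so a forged request lacks it.
    supplied = req.headers.get(CSRF_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def session_cookie(sid: str) -> str:
    """Set-Cookie value: SameSite=Strict keeps the browser from sending it cross-site."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```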

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.